Question re: EsetIpBlacklist

[j-gray 33]

In ESMC, ESET Server Security logs a detection type 'Security vulnerability exploitation attempt' caused by EsetIpBlacklist. The detection type is labelled as 'Firewall'.

As the Server Security policies don't have a specific 'Firewall' section or component, can anyone clarify what component exactly is responsible for this protection?

My assumption is that it's the IDS component of Network Protection, but I'm not entirely sure.

TIA

[Marcos 4,935]

Yes, it's Network protection that blocks addresses seen to generate malicious communication. Do you suspect a particular IP address to be blocked incorrectly?

[j-gray 33]

4 minutes ago, Marcos said:

Yes, it's Network protection that blocks addresses seen to generate malicious communication. Do you suspect a particular IP address to be blocked incorrectly?

Thanks for the reply.

There's no visibility or information (other than blacklist) to help us determine why the IP is being blocked. All we know is that they are IP's that are external to our network.

Is there any more detailed information logged somewhere?

[Marcos 4,935]

10 minutes ago, j-gray said:

Is there any more detailed information logged somewhere?

No. However, if you provide the IP address I could search for possible reasons.

[j-gray 33]

9 minutes ago, Marcos said:

No. However, if you provide the IP address I could search for possible reasons.

Thanks -I just sent the IPs via PM. Hope that's ok.

[j-gray 33]

@Marcos The bulk of the hits are coming frequently and from one cloud hosting provider: 192.241.128.0/17

We have IDS and IPS in place at our edge, but they're not detecting this traffic.

Is the ESET component simply a block list, or is there some other logic/analysis in place?